After having prepared the first draft of the new data protection law back in 2014 (which was ignored by the Government in the meantime, and even dismissed by the Ministry of Justice's introduction of a separate draft law in 2015), the Serbian Data Protection Commissioner ("Commissionaire")1 published the second draft of the new law on March 6th, 2017 ("Draft"). As announced by the Commissioner, the new Draft was necessary in order to address the deficiencies of the existing Law on Personal Data Protection and in order to harmonize the law with EU legislation, particularly with the newly enacted General Data Protection Regulation.

The Draft's key improvements include the liberalisation of data transfer to non-European countries – which wouldn't exclusively depend on the Commissioner's approval anymore (but on other alternatives as well, such as the individual's written consent or the fact that country of data destination is on the EU list of safe countries), as well as the recognition of data processing consent provided in alternative forms rather than solely the written one (e.g. the implied consent, clicking "I agree" or ticking the box online, etc.).

Additionally, the Draft makes a clear distinction between the general obligations and the ones prescribed only for companies engaged in more serious data processing activities (i.e. the ones processing sensitive personal data or data pertaining to over 250 individuals). Unlike other companies, these "major" data controllers are also required to keep the records of their personal databases and register them before the Commissionaire, adopt an internal act regulating data protection, appoint a data protection officer who passed a professional exam (or engage a third-party licensed to perform data protection activities), notify the Commissionaire (and sometimes the data subjects) of any data security breaches, etc.

The Draft also regulates certain specific and sensitive matters for the first time, such as the processing of biometric data and video surveillance, which should prevent further expansion of irregularities currently present in these areas.

Finally, instead of the existing law or the new Draft, it seems that the new Law on the General Administrative Procedure (applicable as of June 2017) will be the act finally enabling the Commissionaire to effectively enforce his decisions, by threatening the companies with "real" fines of up to 10% of their annual income in Serbia in case they fail to comply (the current limit being approx. EUR 160 per fine). It will be interesting to see whether the Commissionaire will use this opportunity in practice, as it may result in a very hot summer for some companies.

For an initial version, the Draft does indeed seem promising. Hopefully the Government will recognize the Commissionaire's efforts this time and give the Draft proper consideration, as a bit of legal certainty would go a long way for data protection standards in Serbia.